Importing users from multiple Active Directory domains

“Help! Our environment has more than one Active Directory domain. What are our options to get PaperCut to synchronize users from all the domains?”

In PaperCut it’s possible to synchronize users from more than one source such as Active Directory and LDAP or G-Suite. Synchronizing with multiple Active Directory domains is possible, and this article exists to showcase those options and provide an outline of the steps for each.

When needing to sync users from two or more Active Directory domains, these are the options:

  • Have a trust between domains. Make sure PaperCut is running as a service account with rights to query each of the domains.
  • Set up a secondary sync source in PaperCut with the LDAP connector and point to the other AD domain.

Option 1 - Trust between domains

If your organization already has configured a trust between domains, then this is something that you can leverage with PaperCut.

Steps:

  1. Set up PaperCut to run as a Service Account with rights to query all of the domains.
  2. Log in to the web interface of your PaperCut server as an administrator.
  3. Navigate to the User/Group Sync tab.
  4. Check the box Enable multi-domain support (Advanced).
  5. Enter a semicolon-separated list of the domains in your Forest (up to 20) that you would like to synchronize users from.
  6. Click Test Sync Settings to confirm that the right users will be imported.
  7. Click Apply and Synchronize Now when finished.

Option 2 - use LDAP for the second domain

If the first option doesn’t work for whatever reason, then there’s another method to get users imported from another Active Directory domain, but there are a couple of limitations. The downsides to this method are that it will only work with one additional domain, and it will not support nested groups.

Steps:

  1. Log in to the web interface of your PaperCut server as an administrator.
  2. Navigate to the User/Group Sync tab.
  3. Scroll down to Secondary Sync Source and check the box Enable secondary sync source.
  4. Then for the LDAP Server Type choose Active Directory, and fill out the remaining fields with the correct details for your domain.
    • LDAP Server Address - this can be the IP or Hostname of your Domain Controller.
    • Base DN - the path to where your users live, This could be the entire domain (assuming the domain is papercut.software): DC=papercut, DC=software. or if you wanted to filter it down and only include users from a certain group or OU you could use: CN=Users,DC=papercut,DC=software. For an OU it would be: OU=print-users, DC=papercut, DC=software.
    • Admin DN - the full distinguished name for the user. The default administrator account would be: CN=Administrator,CN=Users,DC=papercut,DC=software. To find this if you go to View > Advanced Features in “Active Directory Users and Computers” then find the user you want to use and right click > properties and select “Attribute Editor” you will see a list of the attributes including “distinguishedName”. Or if you want to use PowerShell, run Get-ADUser [username] which will output the distinguished name and other fields.
    • Admin password - the password for the above administrator account.
  5. Click Test Sync Settings to confirm that the right users will be imported.
  6. Click Apply and Synchronize Now when finished.

Questions and Answers

Q What happens if two users in both domains have the same name?

Currently, if PaperCut comes across two or more users with the same username during a sync, they will be merged into a single user account. However, it is possible prevent this from occurring by configuring PaperCut to synchronize the User Principal Name (UPN) instead. To do so, follow the instructions in our manual to Prevent username clashes in Windows multi-domain environments.


Still have questions?

Let us know! We love chatting about what’s going on under the hood. Feel free to leave a comment below or visit our Support Portal for further assistance.

Categories: How-to Articles, User Management


keywords: multiple domains, trust, user management, same username different domain, duplicate username, different user, non unique username


Special thanks to Johnathan Bennets of Selectec for contributions to this article.

Comments